manager to interface between a directory and distributed network components. In use the service manager can create, update, delete and search information in the directory. The directory is X.500 or LDAP compliant and comprises domains with each domain having object types for users, profiles, services and infrastructure items. The directory data model further comprises profile service, user service and infrastructure service configuration objects such that a user is assigned to a profile, wherein the profile determines access to services running on the
profile and by the infrastructure configuration object when associated with a particular piece of infrastructure. A user may be assigned to a plurality of profiles and domains may also comprise sub-domains.
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ATTTOMATRn PROVIST ONING SYSTEM 

BACKGROUND OF THE INVENTION

The invention relates generally to an Automated Provisioning System (APS system) which is adapted to centralize and automate information management for online services.

When new personnel or users are first allowed access onto an online service, which may be provided by service providers such as Telecommunications Companies (Telcos), corporations or enterprises, for example businesses or offices having their own internal online services, the new personnel or users have to go through a registration routine in order to enable them to use the online service. The registration routine involves the new user providing information, such as an identity code, to a central point so that each time the user logs onto the service, their details are verified and the user is permitted, by means of an appropriate identity code, to access pre-defined parts of the service. The user on registration will have been given permission to access certain parts of the online system according to the level of access that they require. For the customer of a service provider the level of access will be determined by the service that has been assigned as a result of completing an online registration form. For example a customer responds to a promotion that has been distributed by a service provider and registers for the online service via the internet. For an employee of a company the level of access may be determined by their position in a company and the work that they are required to perform. For example, the managing director of a company is likely to be allowed access to all services, ranging from accounting, to personnel and company strategy. In contrast a secretary may have access only to services or information that he needs to actually work on and will be denied access to other parts of the online services system.

Further, in organisations which are located on a number of office sites, it may be necessary on registration to specify the exact location of that employee within the organisation, for example if they are located at site A or site B because the employee will be registered as using a particular computer terminal at a particular site. However, if that employee is relocated in the organisation and is moved to another office site, a re-registration procedure must take place to take account of that relocation to another office and terminal. This means that on relocation, there will be a delay in the individual recommencing work as a result of the need for there to be a re-registration procedure to enable the individual to use the computer network once they have moved. This will result in a reduction of the efficiency of the individual, which in turn will reduce the productivity of the organisation. Further, with such systems it is necessary to have a department in the organisation which is dedicated to the manual input of data about individuals in that organisation that are using the computer network and where those individuals are located. Also a system has to be set up to track and monitor the movement of individuals in the organisation, and the costs associated with such departments and tracking systems, with the increase in personnel needed, increases the cost of running a computer network within an organisation.

Accordingly, there is a need for an APS system which facilitates the rapid deployment of new entities onto an online service, which may be an individual or a piece of infrastructure such as network hardware eg. switches and workstations, and software eg. firewalls, operating systems and mail servers. Further there is a need to reduce costs and improve efficiency by the removal of the manual assignment of registration and tracking processes. There is the need for the fast and reliable … to infrastructure, together with the ability to expand and integrate existing … associated infrastructures. In turn, there is the need for the facility to consolidate distinct networks, eg. following an acquisition of another network by an organisation, eg. after the merger of organisations. There is also the need for the automation of tracking and registration of user entities from one internet protocol address to another, which may be controlled by a single logical repository for all entity information, thereby making the online service more user friendly, faster and more flexible to use.

Further, in service providers who are operating online services on behalf of other organisations there is the need to be able to manage each organisation's information in a separate logical partition of the single information repository and apply branding to the administration and registration interfaces that are specific to each organisation. There is also the need for the systems that provide the online services to be able to determine the logical partition to be used within the single repository when authenticating and authorising users to use the online services.



SUMMARY OF THE INVENTION

According to the present invention there is provided an automated provisioning system adapted to use an LDAP or X.500 compatible directory enabled information repository, the system comprising a service manager adapted to interface with the information repository and components of a distributed electronic system, wherein the information repository comprises a scalable data model, wherein the service manager is adapted to log on to a directory and interacts therewith to create, delete, amend and/or search for information in the information repository and wherein the data model comprises domains; which domains comprise object types of users, services, profiles and infrastructure;

and wherein the data model comprises configuration objects, which objects comprise one or more of a profile service configuration object, a user service configuration object and a service infrastructure configuration object;

such that a user is assigned to a profile, which profile is adapted to access a plurality of services; which services run on infrastructure.

In a preferred embodiment the core components include an Administration Interface for creation of services and user domains and for the generation of reports, and an Interface Manager (Story Processor™) for the registration of users of the online services and for the presentation and collection of information from administrators and … that relate to the usage of the online services. Together the Service Manager, administration tool and Interface Manager control the administration, entity registration and reporting functions of the system and can also extend control to include firewalls and application servers, such as mail servers and news servers. Even non-directory enabled infrastructure is supported with the use of a mediation function.

The APS system of the present invention may be used with infrastructures that support dial-in Internet users. This includes pools of modems, network access servers and Authentication Authorisation Accounting (AAA)/RADIUS servers. Internet Service Providers (ISPs), Network Service Providers and Application Service Providers (ASPs) rely on existing PSTN and ISDN infrastructures to allow dial-in users to connect to their NAS devices from homes and offices. The APS system of the present invention aims to provide a service based authentication and authorisation to use the system and provides a customisable user interface for subscriber registration, together with an administration help desk. The administration interface allows the service providers to create, modify or delete the services that they provide as well as providing a first dial-up access to the internet. The APS system also seeks to provide for an automated on-line subscriber self-registration system via a web browser interface. Further the APS system aims to allow for the configuration or reconfiguration of infrastructures with new or modified subscriber settings according to the level of access that the subscriber requires, and existing subscribers, once registered with the service provider, can subscribe to new services or modify existing services or they can unsubscribe from services. Internet Protocol address assignment may be used to deliver differentiated qualities of service to different types of subscribers, for example there may be residential tiers, business tiers, corporate tiers which are defined according to the level of access required by the subscriber and the status of that subscriber or group of subscribers. The RADIUS server provides authentication and authorisation services using information that has been put in the Directory using the APS system to enable the subscriber to access the network and there may also be a provision for the automatic revocation of a service after a predefined period eg. after the expiry of a subscription period to a service provider. The APS system seeks to support Virtual Private Networking (VPN), Virtual Portal and domain creation with multi-user administrator and help desk facilities. For each VPN, Virtual Portal and domain the APS will also apply specific branding to the administration and registration user interfaces.

The APS system of the present invention may also be used by cable TV companies. Cable companies possess a Hybrid Fibre Coaxial (HFC) infrastructure which delivers a high bandwidth communication link into a house, office or organisation and the cable connects to a splitter for shared access by multiple devices eg. set-top boxes, telephones etc. A cable company may provide a multitude of different services to which customers may subscribe eg. home shopping services, chat services, opinion polling services, news, movie, and sports channel services, call waiting, diversion and call barring services etc.

The APS system of the invention, in addition to the facilities it provides Service Providers as discussed, also aims to provide the assignment of cable modem IP addresses using Directory enabled DHCP or Directory enabled Bootstrap Protocol (BOOTP) and to assign cable modem boot files and appropriate TFTP servers to modems to retrieve boot configuration files. There is also the provision of a dynamic link between a cable modem, workstation and the subscriber which assists in the prevention of thefts from the service as the subscriber can be traced. Further the APS features include the provision of support for all MCNS compliant cable modems and, as for the APS system, aims to allow for browsing and searching of the directory store.

The APS system of the invention aims to be fully extensible to satisfy specific business requirements, which can range from the inclusion of extra directory enabled server components such as RADIUS server components for an ISP, to an additional interface to support an existing or legacy system or workflow and billing systems. The APS system also aims to support an extensible scheme for adding new object types to an LDAP/X.500 directory as new types of network infrastructure are added.
Also, the APS can be used within enterprises such as corporations or offices or … a network of users which provide intranet, extranet and remote access services to their workforce or users. Different roles within an enterprise may necessitate different service levels for staff and management. Consequently an APS system for an enterprise must include, in addition to the systems already discussed, rapid registration/deployment of new employees and the allocation of IP addresses via DHCP which can deliver differentiated qualities of service to differing communities of entities eg. they may provide a home user entity tier or a remote office tier. There may be the provision for the automatic revocation of a service such as an IP address based on a defined policy, which may be as long as an employee remains in employment with the enterprise, for example contract workers. The APS features may also include web browser interfaces for access to information … Interface Manager, including addresses in use by subnet, time in use per address, IP address to name assignment, inventory information per address and manual suspension and revocation of users and associated IP addresses.

The APS system of the present invention may also be used by companies for internet services. Companies who offer products or services for sale over the Internet capture information from users regarding the products and services they require and the method of payment they wish to use. The information can be passed to an online billing system or to a system which will debit funds from their selected credit card company. The information will also be used to instruct a workflow system to dispatch the product to the individual or to instruct an online server to provide the required service.

BRIEF DESCRIPTION OF THE DRAWINGS
In the drawings:

Figure 1 illustrates the relationship between the Interface, Interface Manager, Web Server, Service Manager and Directory of the APS System according to the invention.

Figure 2 illustrates how information is modelled and stored within the APS system.

Figure 4 illustrates the summation of base profiles plus profile extensions.

Figure 5 is a flow chart which illustrates a LAN (local area network) user entity registration process using an APS of the invention.

Figure 6 is a flow chart which illustrates an automated ISP subscriber self registration process using an APS of the invention.

Figure 7 is a flow chart which illustrates an automated cable subscriber self registration process using an APS of the invention.

Figure 8 shows an APS system of an embodiment of the invention being used with a multi service enterprise infrastructure.

Figure 9 shows an APS system of an embodiment of the invention being used with a multi service Internet service provider infrastructure.

DETAILED DESCRIPTION OF AN EXEMPLARY EMBODIMENT
The APS system of the invention comprises a range of components:

a. A Service Manager

b. Information Association … components

c. Information repository components, for example Open Directory DX Servers, LDAP servers such as Netscape Directory Servers, and Proprietary Directories such as Microsoft Active Directory

d. An Interface Manager

e. A Trigger Server

f. A Report Server

g. A Cookie Server

h. Infrastructure components which include:
DHCP servers
DNS servers
RADIUS/AAA servers
Cable Modem Head End
Cable TV Head End
Application servers such as Mail servers or News servers
Routers
Traffic Shaping Devices
Firewalls
PABX
Certificate Authorities

The core APS component is the Service Manager as shown in figure 1, which manages and integrates the other components. The Service Manager 5 allows for different software interface components 7a and hardware components 7b to be developed which can communicate with the Service Manager. The Service Manager has a defined application programming interface (API) which allows customised client applications to be developed. The Interface Manager 3 will allow for high customisation. The Service Manager 5 can interface with the administration tool 1 or the Interface Manager 3, which in turn can interface with the Web Server 2. Standard CORBA interfaces 4 allow for an industry standard distributed system, as well as a comprehensive inter-communications architecture and security system. The Service Manager 5 can include a directory communication layer which enables the Service Manager to work with multiple directories, allowing for dealing with a number of aspects at any one time such as fail-over and load sharing of requests. The Service Manager can then in turn be interfaced with the Directory 10. The service manager uses the Lightweight Directory Access Protocol (LDAP) … Directory 10. The Service Manager 5, administration tool 1, Interface Manager 3 and Directory 10 may all reside on distinct machines running any network operating systems that are supported by the APS. Native applications can be developed to run on machines that communicate directly with the Service Manager. The Directory 10 can exist on a distinct server and may not be situated in the same geographical location as the Service Manager 5.

An administration tool 1 is a stand alone program that runs on a computer. The APS of the invention allows application tools to make direct calls to the Service Manager 5, bypassing the Interface Manager 3 altogether. The APS supports a range of interface mechanisms allowing direct access to the Service Manager 5 and where necessary encapsulates specific details within capabilities of the Interface Manager. This flexibility allows APS to easily accommodate new interface mechanisms, simply by plugging in a new Story Processor such as a HTML Browser 11, or an Applet Interface if the desired interface mechanism is unable to talk directly to the Service Manager.

The APS includes a Trigger Server 9 which causes operations such as business rules and workflow to be triggered once an action is logged on the system, for example it may include an interface to a legacy billing system which is used to collect and send printed bills to a customer as well as writing the information to the directory server.

The APS also includes a Report Server 8 which can carry out complex searches on the system and can report back information in a specific way according to the requirements of the individual requesting that information.

Also, a Cookie Server 6 is included which holds values that are written to the browser 11 by the web server 2 … the Interface Manager 3 … holds this information, for example a page number, as a reference point which the user can look for when resuming a piece of work on the system. The Cookie Server acts as a short term persistent store of up to 24 hours.

Also, the system may include Middleware which enables different types of software to communicate with each other. This is particularly useful as it enables hardware from one manufacturer which may be using a certain type of software to be interfaced with hardware from another manufacturer, which may be using another software system. The advantage of this system is that it allows … from different pieces of hardware rather than having to have a system comprising universal pieces of hardware.

The APS is fully scalable and can support multiple Service Managers 5 and multiple Web Servers 2 that are associated with user browsers. Browsers are usually the primary information management interfaces for the network system.

Horizontal Scalability caters for an increase in the size of the user base and as this increases, Service Managers can be added, with Web Servers being load balanced to handle the increased load. Alternatively, a single Service Manager can be used and it can use load balancing to make requests to multiple Directory System Agents.

The Service Manager may be configured in a high performance configuration to enable high throughput of user activity at peak network times and in situations where there are high user loads, for example more than 10000 registrations per day. The Service Manager 5 uses servlet technology where each individual request creates a separate thread of execution. This improves server efficiency via the use of light weight threading models and using faster in-process execution. The Interface Manager 3 handles peak loads of requests by queuing registration requests to the Service Manager 5 and as requests come into the server, they are first stored in a serialised format on the server. The queue of registration requests is then processed by the Service Manager and acts as a buffer, until there are no registration requests remaining.

The Service Manager can support password encryption schemes such as MD5, SHA, DES and can provide support for X.509 certificates. Authorisation may be a two layer mechanism required for a user-service and a service-infrastructure system. The benefits are that authorisation can be managed at a service level. The Service Manager ensures network security by supporting secure sockets throughout the system. CORBA implementations support SSL over IIOP thereby ensuring security between the CORBA 4 and the Service Manager 5. Leading browsers all support SSL capabilities.
The Service Manager 5 can support the notion of Fail over-DSA, which the Service Manager can revert to in the event of Directory/DSA failure. The Service Manager can support multiple Interface Managers that communicate with a single Service Manager and so if the Web Server 2 or Interface Manager 3 fails, the system will still be available. This arrangement allows for multiple Service Managers, each of which talks to one or more DSA. In the event of a Service Manager failing, the overall system will still operate using the Service Manager(s) that have not failed. If a Server fails as a result of load, hardware or software problems, no registration request will be lost because these requests are stored in a persistent form on the Server on which the Story Processor resides. When the Service Manager recovers from a failure or is restarted, it checks whether there are any pending registration requests and then processes them if necessary.
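The persistent registration queue described in the two passages above (requests serialised on the Story Processor's server, then drained by the Service Manager, with pending requests picked up after a restart), as an added example that is not the patent's own code. It assumes one serialised request per file in a spool directory; the request fields and the failure scenario are constructed.

```python
"""Persistent registration queue in the style of the APS Interface Manager.

Added example, not code from the patent. Assumes one serialised request
per file in a spool directory on the server where the Story Processor
resides. A failure while a request is being handled leaves its file in
place, so a restarted Service Manager finds and processes it.
"""
import json
import os
import tempfile
import time
import uuid
from pathlib import Path
from typing import Callable


class RegistrationQueue:
    def __init__(self, spool_dir: str) -> None:
        self.spool = Path(spool_dir)
        self.spool.mkdir(parents=True, exist_ok=True)

    def enqueue(self, request: dict) -> Path:
        """Serialise a request to disk before it is acknowledged.

        The timestamp prefix keeps files in arrival order; writing to a
        temporary name and renaming means a crash mid-write never leaves
        a truncated request that would later fail to parse.
        """
        request_id = f"{time.time_ns():020d}-{uuid.uuid4().hex}"
        tmp = self.spool / f"{request_id}.tmp"
        final = self.spool / f"{request_id}.json"
        tmp.write_text(json.dumps(request))
        os.replace(tmp, final)
        return final

    def pending(self) -> list[Path]:
        """Requests not yet processed, oldest first (what a restart checks for)."""
        return sorted(self.spool.glob("*.json"))

    def drain(self, handler: Callable[[dict], None]) -> int:
        """Process pending requests in order; a failing handler leaves its file for retry."""
        done = 0
        for path in self.pending():
            request = json.loads(path.read_text())
            handler(request)      # e.g. create the user entity in the directory
            path.unlink()         # removed only after the handler succeeded
            done += 1
        return done


def simulate_failure_and_restart() -> tuple[int, int, list[str]]:
    """Constructed scenario: three registrations, a failure on the second, then a restart."""
    spool = tempfile.mkdtemp(prefix="aps-spool-")
    queue = RegistrationQueue(spool)
    for username in ("u1", "u2", "u3"):
        queue.enqueue({"username": username, "profile": "basic-user"})

    processed: list[str] = []

    def flaky_service_manager(request: dict) -> None:
        if request["username"] == "u2":
            raise RuntimeError("service manager failed under load")
        processed.append(request["username"])

    try:
        queue.drain(flaky_service_manager)
    except RuntimeError:
        pass
    left_after_failure = len(queue.pending())   # u2 and u3 survive on disk

    # Restart: a fresh Service Manager over the same spool finds the survivors.
    restarted = RegistrationQueue(spool)
    recovered = restarted.drain(lambda r: processed.append(r["username"]))
    return left_after_failure, recovered, processed
```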

While the APS requires the presence of a Directory, such as a LDAP/X.500 directory, the system is vendor neutral which means that it can be used with a range of specific components from different manufacturers. The APS is extensible to the effect that if additional pieces of equipment are introduced to the infrastructure, such as software infrastructure 7a, for example a firewall, application servers, DHCP BootP, DDNS and RADIUS, or hardware infrastructures 7b such as Lan switches, Routers or Gateways, the components can integrate with the management of existing components.

The Directory 10 acts as an information repository for information such as information about entities, which can be defined as any person or piece of infrastructure requiring access to a service, and an entity's access to these resources is defined by its entity base profile plus extensions to that profile. Further information stored by the Directory 10 is information about profile policies, which is defined by the services that can be supplied by the network, information about the infrastructure components and about domains. Domains are logical partitions, or sub-trees of a single physical LDAP/X.500 directory that a remote organisation has devolved authority for. For example a corporate organisation, such as a multi-national bank, may have its own domain which controls all the administration of that organisation. Telcos can provide their own dial in services for organisations that do not wish to manage their own physical dial in infrastructure. In order to identify and authenticate the dial in user, the Telco verifies the user's login details such as the user's username, password, calling number or called number against those stored in the domain for that user. Although the APS is responsible for hosting the domains of a user, administration of the domain can be taken on by the user if they wish and this is referred to as devolved authority of the domain.

Figure 2 shows how the information is stored by the APS system. Users 14 are given specific profiles 13 according to the requirements that they have for using the system. Based on the profiles 13 that have been recorded for the user, that user will then have access to services 12 that are connected to the infrastructure, such as hardware and software 7a and 7b of the system. The services 12, users 14, profiles 13 and infrastructure 7a, 7b intercommunicate by way of configuration objects such as the user to service configuration objects X, profile to service configuration objects Z and service to infrastructure configuration objects Y. The user to service configuration object collates user service attributes provided by sub-class extensions of the user profile which represent user specific parameters which allow the user access to services such as the RADIUS username, RADIUS password, POP username and password ie the mail address and attributes and the WEB attributes which allow access to the Internet. The profile to service attributes set from the user profiles allow the user access to specific service parameters which can be used for functions such as marketing. There are again the RADIUS, Mail and WEB passwords which allow access to information such as lists and numbers of mailboxes of clients to which the user can send information eg. for information about products. The service to infrastructure configuration object takes the service attributes provided by the sub class extensions and replaces the service parameters so allowing configuration between RADIUS, Mail and WEB attributes. This allows the infrastructure to find a user based on the profiles given for that user.

A user entity object will contain at least the user name, password, location of the entity, contact information, set of profiles for the entity and the authentication expiry. The profile attribute for an entity contains a reference to a base profile for an entity plus, if applicable, one or more profile extensions. Each entity will have at least one profile and possibly more.

The first profile in the entity's set of profiles is referred to as the base profile and additional profiles are known as profile extensions. A first profile may be a base profile for one entity but this first profile may also be a profile extension for another entity. It is the core characteristics of an entity which are described by the base profile. The profile extensions represent refinements to the services that can be made available to the entity. Profile extensions allow customisation of the service that a particular entity receives, without having to create an entirely new profile for that entity, and can best be conceptualised as fine tuning adjustments to the basic service level.

Entities are granted authorisation to use a service or services by their association with entity profiles ie. services are not directly assigned to entities but rather profiles are assigned to entities. And at the same time, services are assigned to profiles. An entity profile is a list of one or more services which collectively defines a level of access to an infrastructure. These services become available to entities that are assigned the respective profile. A level of service may be nil where access to the service is to be denied.

A key benefit of using profiles is that there will typically be far fewer profiles than the number of entities, which will simplify the maintenance function of assigning services to entities. An example of an organisation's entity profiles may be as follows:

Pre-provisioned Entity Profile - includes unregistered entity services which provide provisional IP to un-provisioned or pre-provisioned entities allowing access to the registration domains only.

Basic User profile - includes basic-user services eg. mail service

Administration profile - includes basic-user services and administration services, which provide administration rights to the APS system.

Mobility profile - includes basic-user services and dial-in user services

Helpdesk profile - includes basic-user services and query services

Human Resource profiles - include basic-user services and administration services.

Figure 4 demonstrates the logical summing of a base profile with an extension profile, to create a single virtual profile that is an aggregate of the two component profiles. However, there is one notable exception to this system and that is when two different profiles are in direct opposition to one another; in such a situation, the first occurrence in the set of profiles is the profile that takes precedence. Typically, this will be the base profile as it is the base profile that defines the core characteristics of the level of service that is to be provided for a user. If it is the intention of the network administrator to override the base profile, rather than to extend it, then the correct action would be to replace the base profile with the profile extension for that entity. The fact that an entity can have multiple profiles means that it is possible for the duplication of identical services to occur. This can be seen in figure 4, where both profile C and profile A contain services 1 and 4. As these services are identical, they only occur once in the logical sum of the two profiles.
The logical summation of the individual profiles for a given entity is not stored within the directory store but a dynamic structure is held in the service manager. When an entity requests a service, the service manager looks up this logical set of services, which was created preferably when the entity session begins, to establish whether the entity is authorised to gain access to that particular service.
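The profile summation and the session-time authorisation check just described, as an added example that is not the patent's own code. The profile names, service names and levels are constructed (profiles A and C share services 1 and 4, as in figure 4); the only rules taken from the text are that the first profile is the base, duplicates appear once in the sum, the first occurrence wins on a conflict, and overriding is done by replacing the base profile.

```python
"""Logical summation of an entity's profiles and the resulting authorisation check.

Added example, not code from the patent. Profiles, service names and
levels below are constructed for illustration.
"""
from dataclasses import dataclass

NIL = "nil"  # a level of service meaning access to the service is denied


@dataclass(frozen=True)
class Profile:
    name: str
    services: dict  # service name -> level of service (NIL denies the service)


@dataclass
class Entity:
    name: str
    profiles: list  # profiles[0] is the base profile, the rest are extensions


def logical_sum(profiles: list) -> dict:
    """Aggregate an ordered list of profiles into one virtual profile.

    Keeping only the first level seen for each service implements both
    rules from the text: identical services collapse to one entry, and
    where profiles disagree the earlier one (normally the base) wins.
    """
    virtual: dict = {}
    for profile in profiles:
        for service, level in profile.services.items():
            virtual.setdefault(service, level)
    return virtual


def conflicts(profiles: list) -> list:
    """Diagnostic for the administrator: (service, winning profile, overridden profile)."""
    seen: dict = {}
    clashes = []
    for profile in profiles:
        for service, level in profile.services.items():
            if service in seen and seen[service][1] != level:
                clashes.append((service, seen[service][0], profile.name))
            seen.setdefault(service, (profile.name, level))
    return clashes


def override_base(entity: Entity, replacement: Profile) -> Entity:
    """To override rather than extend the base profile, replace it."""
    return Entity(entity.name, [replacement] + entity.profiles[1:])


class ServiceManager:
    """Holds the per-session virtual profile; nothing is written back to the directory."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def begin_session(self, entity: Entity) -> dict:
        virtual = logical_sum(entity.profiles)
        self._sessions[entity.name] = virtual
        return virtual

    def is_authorised(self, entity_name: str, service: str) -> bool:
        virtual = self._sessions.get(entity_name)
        if virtual is None:
            return False  # no session, so deny by default
        level = virtual.get(service)
        return level is not None and level != NIL


# Constructed profiles modelled on figure 4: A and C both contain services 1 and 4,
# and they disagree about "mail" (A grants it, C denies it).
PROFILE_A = Profile("A", {"service1": "full", "service2": "full", "service4": "full", "mail": "full"})
PROFILE_C = Profile("C", {"service1": "full", "service3": "full", "service4": "full", "mail": NIL})


def demo() -> tuple:
    """alice has base profile A extended by C; A wins the "mail" conflict."""
    alice = Entity("alice", [PROFILE_A, PROFILE_C])
    sm = ServiceManager()
    virtual = sm.begin_session(alice)
    return virtual, sm.is_authorised("alice", "mail"), sm.is_authorised("alice", "service3")
```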

The use of profile extensions gives rise to a maintenance function, whereby a network administrator can periodically check for patterns of use of a certain profile extension or extensions to enhance a given base profile which could enable a user to gain access to further services that are offered on a network. A high frequency of use of a particular profile extension, combined with a particular base profile, would indicate to the network administrator that a new base profile for an entity whose base profile it is, was required which would incorporate the previous base profile and the profile extension services that have been used. The administrator would then create a new base profile and apply it to the appropriate entities.

Services are the logical association of different pieces of infrastructure and/or existing services, which cooperate to provide the requirements of a particular entity. The infrastructure may be the network hardware such as routers, switches, or any other type of hardware that the APS will manage. The infrastructure may also be applications such as firewalls, mail servers, operating systems or any other type of software that the APS system will manage.

The services may be abstracted from the physical infrastructure, which provides the benefits of having a less complex system: in order to consider entity access, the APS allows the system to consider the infrastructure in broad terms rather than in terms of each of the individual components. Also, the APS allows the system to recognise patterns in the infrastructure requirements by recognising classes of entities. Further, the APS allows for the separation of an entity maintenance role from that of the infrastructure maintenance role. The use of service inheritance also means that the task of creating new services is simplified because a network administrator may upgrade a new service by basing it on the old service and adding further pieces of infrastructure to compensate for the deficiencies in the old service that were noted by the network administrator. With service inheritance there is also the feature that a base service may not be deleted while there are services that are inherited from it. The system checks existing services to ensure that there are no services which are inherited from a service, to ensure that no files are deleted accidentally. The APS will enable an enterprise to create an infrastructure that is available to all employees by creating a single service called a "user service". Further, a single level of service can be provided for all employees which is accessed by a single dial-in service. Further, if an organisation has a router which allows access to the public domain, a service can be created such as a "gateway service" which relates to only a single or selected items of infrastructure. All other items can then be accessed separately via a "general user service". Also, where an organisation has a network administrator who wishes to take a hands on approach to the allocation of network resources to entities and prefers to think in terms of infrastructure rather than in services, then a separate service can be created for each piece of infrastructure.
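The profile, profile-extension and service-inheritance rules described above, as an added example that is not part of the patent: a constructed in-memory stand-in for one directory domain that builds the session-time service set, refuses to delete a base service while another service inherits from it, and produces the administrator's extension-usage report. The class and function names (Directory, Service, build_sample) and the sample services, profiles and entities are assumptions, not the patent's own.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Service:
    """Own infrastructure items plus, via inherits_from, those of its base service."""
    name: str
    infrastructure: set = field(default_factory=set)
    inherits_from: Optional[str] = None


class Directory:
    """Constructed in-memory stand-in for one domain of the X.500/LDAP directory."""

    def __init__(self):
        self.services = {}    # service name -> Service
        self.profiles = {}    # base profile name -> set of service names
        self.extensions = {}  # profile extension name -> set of service names
        self.entities = {}    # entity name -> (base profile name, set of extension names)

    def infrastructure_for(self, service_name):
        """Walk the inheritance chain: a derived service is its base plus the items it adds."""
        items, seen, current = set(), set(), service_name
        while current is not None:
            if current in seen:
                raise ValueError("inheritance cycle at " + current)
            seen.add(current)
            items |= self.services[current].infrastructure
            current = self.services[current].inherits_from
        return items

    def delete_service(self, name):
        """A base service may not be deleted while other services inherit from it."""
        dependants = sorted(s.name for s in self.services.values() if s.inherits_from == name)
        if dependants:
            raise ValueError("%s is a base service for %s" % (name, dependants))
        del self.services[name]

    def session_services(self, entity_name):
        """Logical set of services built when the entity's session begins: profile + extensions."""
        base_profile, extensions = self.entities[entity_name]
        allowed = set(self.profiles[base_profile])
        for ext in extensions:
            allowed |= self.extensions[ext]
        return allowed

    def authorised(self, entity_name, service_name):
        return service_name in self.session_services(entity_name)

    def extension_patterns(self, threshold):
        """Maintenance report: (base profile, extension) pairs held by at least `threshold`
        entities, i.e. candidates for a new base profile that merges the two."""
        counts = Counter((base, ext) for base, exts in self.entities.values() for ext in exts)
        return sorted(pair for pair, n in counts.items() if n >= threshold)


def build_sample():
    """Constructed sample domain: a gateway service derived from the general user service."""
    d = Directory()
    d.services["general user service"] = Service("general user service", {"lan", "mail server"})
    d.services["gateway service"] = Service("gateway service", {"router"}, "general user service")
    d.profiles["employee"] = {"general user service"}
    d.extensions["internet access"] = {"gateway service"}
    d.entities.update({"alice": ("employee", {"internet access"}), "bob": ("employee", set()),
                       "carol": ("employee", {"internet access"})})
    return d
```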

APS provides for the devolved authority of the Directory, whereby a single directory may store information sub-trees for multiple organisations or sub-organisations which are provided with the facility to administer their own private logical portion of the physical directory tree, independently of the service provider. The APS provides domain administration tools. The APS allows the administration interface for the directory owner to create, modify or delete the logical domains from a single physical directory. Also the APS provides an administration interface whereby individual domain organisations or sub-organisations can administer their own domains. This includes interfaces to add, modify or delete users of a system or for reporting from the system. Further, users of a given domain organisation or sub-organisation can also administer their own personal accounts, modify their service level and view their usage and accounting details.

The APS system allows for the assignment or preparation of resources for use by the entity to which the resources are associated. There are two types of association, firstly associating entities with services and secondly, associating services with infrastructure.

Entity to service association, also known as "immediate association", is the process whereby the service/services that are specified in a given entity's base profile (plus any extensions of that profile) become available to an entity. This means that should an entity require services that are associated with a particular profile, then they have access to request those services. Entity to service association incorporates the steps of registration, which involves identification and authorisation of an entity, followed by authorisation for the entity to use services.
Registration is the process where an entity formally introduces itself to the APS system. In this process, entity details are gathered and stored within the directory store, where a unique entry is created in the directory for the entity. This stored information can then be quickly retrieved by the APS components. For example, a RADIUS server may wish to verify a username/password combination that has been received from a Remote Access Server (RAS) that a user of a telecommunications system has dialed into to request access to a company LAN. The RADIUS server retrieves the details relating to that user from the directory store and this includes the password that was specified by the user during the registration process.

As shown in figure 5, typically, every time a LAN user starts up their workstation, they must enter a user name plus password details in order to be able to log on to their LAN. Different operating systems have different security systems for logging into a system. APS allows for a once only registration process whereby a user can log onto a system without constantly needing to re-authenticate themselves to the APS system. A user, for example an employee who starts work with and remains with an organisation for a certain period of employment, can maintain their APS registration throughout their employment without ever needing to change their service requirements. However, an employee who gains a promotion, thereby needing a different level of service, may wish to change their configuration, which they can do using the APS system of the invention.

Registration is a precursor to the provision of services and only allows an unregistered entity DNS access to the registration process itself, thereby debarring unauthorised users from accessing the network. Registration may occur without the user making any subsequent request for a service and, as mentioned, may occur only once for an individual or employee who uses the same workstation and whose user validity is set to infinite. Registration may also be an ongoing process as in the case of a dial-in ISP user as shown in figure 6 or for an automated cable modem subscriber as shown in figure 7. Registration presents the availability of services; it does not translate directly into actual service requests. It is the information that is stored about an entity during the registration process that is used by the authorisation process to determine whether an entity's service request will be granted.

In the case of a LAN user registration process as shown in figure 5, an entity request for a service or services initiates the process of entity identification as shown in step numbered 20. The identification process attempts to determine who or what is the entity and this is done by comparing information that is part of the service request with information that is stored in the Directory, such as the LDAP/X.500 Directory, to check whether details about the entity that is making the request are held.

If an entity logs onto the system that has never accessed the system before and no details about the entity are held on the Directory, then access to the system is denied to the entity. An entity in this case would be described as an anonymous entity. This situation may arise when a new user logs onto the network or when a new piece of network infrastructure is logged onto the network or when a new workstation is logged onto the network. Taking the case of when a new workstation is logged onto the network, the Media Access Control (MAC) address is not recognised by the DHCP server, shown by step 21, and so a provisional IP address is assigned at step 22. The granting of a provisional IP address means that the workstation is un-provisioned and in order to gain access to any network services, the workstation must be registered by a network administrator via a registration interface.

The entity may have not ever accessed the system before but the system may be pre-configured by a network administrator to recognise the entity when they try to access the system. For example, a new employee may be due to start work in a few days time and before the employee arrives, the administrator may set up a username/password combination for that employee. When the employee logs onto the system they will be identified as being a pre-provisioned entity, shown at step 23.

When an entity makes a service request, the entity is recognised by the system that already has configuration details about the entity. If the entity is successfully identified as pre-provisioned and then provisioned, registration then proceeds to the authentication process using the Service Manager as shown in step 24. If the entity is still recorded as being anonymous, access may be denied to the network or alternatively will be referred to the registration interface, shown at step 25.

If the user is allowed access to the system a valid IP address will be assigned to the workstation in accordance with the user profiles as shown in step 27. The Directory and the DNS can be updated with new user entity/machine details on a continuous basis as shown in step 26, which will allow for the valid IP address at step 27 to be updated in accordance with the requirements of the user.

In figure 6, a similar process occurs: a user can dial into an ISP via a modem at 28. A NAS server provides identification information to a RADIUS server at 29 and the RADIUS server looks up in the Directory to verify identification details for that user at 30. If the user is provisioned, the RADIUS server will return an IP address which will provide the level of service that a user has been specified by a user profile that is held in the Directory at 31. If the user is not provisioned, a provisional IP can be assigned to the user which allows the user to browse the registration screen only 32. The user can then enter registration details, including details of how they will pay for their use of the requested services 33, and the user registration details can then be checked on the Directory to see if they are valid. When the user details are stored in the Directory, the user can then redial into the system using their new number or password, which allows the user to access the system with the level of service that they have specified 35. If the registration details are not valid the system will not allow the user access and will register that there has been a log on failure 36.

In the case of a cable modem subscriber as shown in figure 7, the user connects into the system via a set-top box 37. The set-top box makes the DHCP request to the DHCP server which looks in the Directory to see if MAC addresses have been assigned to a provisioned user 38. If the MAC address/serial ID of the user is identified 39, the DHCP server returns the IP address and name of the TFTP file containing set-top box configuration settings to the set-top box 40, which retrieves them from the TFTP server. The set-top box then configures itself using the TFTP file to provide the user with the level of service that they requested using the user profile 42. If the MAC address/serial ID is not identified, a provisional IP is assigned to the set-top box cable modem and the user is presented with a registration screen 43. The user can then enter their registration details and if these are valid, user details are stored in the Directory and a set top MAC address/serial number is associated with the user 45. The user can then use the allocated MAC address/serial ID to log onto the system when they restart the set-top box. If the registration details are not found to be valid a log on failure will be registered.
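The identification step of figures 5 and 7 (the DHCP server looks the MAC address or serial id up in the directory, hands an unknown device a provisional address that reaches only the registration screen, and after valid registration binds the device to a user the administrator pre-provisioned), as an added example that is not part of the patent. The address pools, the DhcpIdentifier class, the Decision record and the sample users are constructed assumptions.

```python
import hmac
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Optional

# Constructed address pools: provisional leases reach only the registration screen;
# the service pools stand in for the per-profile addresses held in the directory.
PROVISIONAL_POOL = IPv4Network("10.255.0.0/24")
SERVICE_POOLS = {"basic": IPv4Network("10.1.0.0/24"), "premium": IPv4Network("10.2.0.0/24")}


@dataclass
class Decision:
    state: str                         # "anonymous" or "provisioned"
    ip: str
    next_step: str                     # "registration-interface" or "authenticate"
    user: Optional[str] = None
    config_file: Optional[str] = None  # TFTP file name for a set-top box


class DhcpIdentifier:
    """Identification step of the DHCP server against a constructed in-memory directory."""

    def __init__(self, users, bindings):
        # users: username -> (password, profile name, optional TFTP config file),
        # pre-provisioned by the administrator before the entity first appears.
        self.users = users
        # bindings: MAC address or serial id -> username, created at registration.
        self.bindings = {mac.lower(): user for mac, user in bindings.items()}
        self._next_host = {name: 10 for name in list(SERVICE_POOLS) + ["provisional"]}

    def _lease(self, pool_name):
        pool = PROVISIONAL_POOL if pool_name == "provisional" else SERVICE_POOLS[pool_name]
        address = pool.network_address + self._next_host[pool_name]
        self._next_host[pool_name] += 1
        return str(address)

    def identify(self, mac):
        """Compare the request's MAC/serial id with the directory and hand out an address."""
        user = self.bindings.get(mac.lower())
        if user is None:
            # Unknown hardware: anonymous entity, provisional address, registration only.
            return Decision("anonymous", self._lease("provisional"), "registration-interface")
        _, profile, config_file = self.users[user]
        # Known hardware: address from the profile's pool, then on to authentication.
        return Decision("provisioned", self._lease(profile), "authenticate", user, config_file)

    def register(self, mac, username, password):
        """Registration screen: valid details bind the hardware to the user, else log-on failure."""
        record = self.users.get(username)
        if record is None or not hmac.compare_digest(record[0].encode(), password.encode()):
            return "log on failure"
        self.bindings[mac.lower()] = username
        return "provisioned"


def build_sample():
    """Constructed sample: alice pre-provisioned but not yet seen; bob's set-top box already bound."""
    users = {"alice": ("correct-pw", "basic", None),
             "bob": ("bob-pw", "premium", "stb-premium.cfg")}
    return DhcpIdentifier(users, {"AA:BB:CC:DD:EE:FF": "bob"})
```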

The authentication process attempts to verify the entities that are attempting to log onto the network. There may be two levels of authentication, for example "weak authentication" where, say, the user name and password is checked, or "strong authentication" where, say, a digital certificate request is made to a smart card or a fingerprint scan takes place. The level of authentication may be demanded as a function of the access method, the service requested or the geography of the user. Once an entity has been authenticated, the system then determines whether the proven entity is authorised to use the requested service.
Authorisation is an ongoing process which handles authorisation to use a service. Before delivering the requested service, the application must first receive the necessary clearance for that entity. To determine which response to make, the application assesses parameters such as the entity's base profile plus any profile extensions, the entity's network access method (via a dial-in ISP request, dial-in direct to RAS request or LAN request), the geographical location of the entity or the time of access. The primary parameter is the entity's profile plus any profile extensions. Authorisation will only be given if the entity has been explicitly registered to use a particular service. Provided approval is given to the application to grant a service request, the application may then proceed to the actual delivery of the service to the entity. Entity-service association is then said to be completed.

Service-infrastructure association then occurs, which involves configuration of items of the infrastructure specified by the service in a way that provides the service to the requesting entity. The item (such as the DHCP server) configures itself in a manner which is specific to that object. There are two types of infrastructure configuration, the first where use is allowed by the entity and the second where use is denied to the entity.

The APS provides user/administration interfaces for a range of functional areas such as registration, report/query, administration, IP configuration, DNS management, VPD management and security management. The APS supports the creation of user interfaces using technologies such as Browser interfaces, application interfaces and defined interfaces. The HTML for display by the Browser is generated or stored on a web server and is served to the user via HTTP protocols. HTML is platform independent and HTTP ports are generally available through firewalls. APS support for HTML is achieved by using an HTML adaptor contained within the Story Processor that runs on the web server. The Story Processor HTML adaptor handles data submitted via an HTML interface and also delivers HTML interfaces. The Story Processor then converts requests for service from interface specific format into a generic format which is passed to the service manager layer.

Although the APS system provides for the use of standard interfaces, it is also possible for organizations to build their own interfaces or to use existing interfaces that the organisation is already using but which are adapted by the APS system of the invention. APS interfaces which may be customized are IP configurations, security management and VPD or domain management. APS interfaces which support partial customisation, e.g. use of company specific logos or background images on standard APS interfaces, are:

HTML based VPD interfaces

HTML based Registration interfaces

HTML based report/query interfaces

HTML based administration interfaces

Partial interface customisation is referred to as interface branding. Interface branding involves the insertion of company brand/logo information into the HTML frame-sets as headers and/or footers. A virtual ISP may buy an ISP service from a larger ISP which uses the APS system of the invention. Assuming all the user details are stored and administered using the parent ISP's infrastructure, any virtual ISP subscriber wishing to check details such as account details would use the parent ISP's subscriber account maintenance interface. To conceal the fact that they are using the system, the virtual ISP user could provide, as part of their virtual ISP configuration, their own logos to customise the HTML interface.

APS interfaces which allow for complete replacement by a customized interface are registration interfaces and HTML based report/query interfaces. The mechanism that allows for organizations to build their own interfaces are the same programming Application Programming Interfaces (APIs) that can be invoked by standard APS user interfaces, and these include Service Manager APIs and Story Processor Adaptor APIs. For example, an organization may wish to publish their own registration interface using HTML or multiple HTML pages to collect registration details. Once the user has traversed the HTML pages (stories) the data is posted to the HTML adaptor which translates the data into an object to pass to the Service Manager.

APS interfaces can provide interface security to media such as public networks or insecure private networks. The APS system does not assume that standard security implementations such as firewalls are fully secure and implements its own security model to provide the measures of security required. Security measures that may be required are data confidentiality, data integrity, authentication and non-repudiation.

The APS implements security measures using Secure Sockets Layer (SSL), which secures transmissions over networks and creates secure socket connections between a user and a server. SSL supports multiple cryptographic techniques, for example, RC2 or RC4 encryption with a 40-bit key, RC4 encryption with a 128-bit key and an MD5 MAC, triple DES encryption with a 168-bit key and a SHA-1 MAC, RC2 and RC4 encryption with a 40-bit key and an MD5 MAC, and no encryption with an MD5 MAC.

The APS allows the administrators to select the type of security appropriate for an information exchange, for example whether credit card details are to be acquired for a user or whether data integrity is important. Further, different levels of security may be provided for according to the entity type, access method, service requested or the geography of the user. For example, a mobile employee connecting to a LAN from abroad would require greater authentication to use a network than an internal employee who is connecting directly to the LAN. Selection of the type of security has system performance implications in terms of CPU processing and public key cryptography; for example, 3-way CHAP authentication involves more network traffic than 2-way PAP. The APS system of the invention gives the APS administrator the flexibility to select the security technique that is appropriate to the performance of the system.

Figure 8 shows a schematic figure of a multi service enterprise structure in which the APS system uses the directory to link a plurality of DHCP configured workstations which are in turn linked to a number of servers, including a mail server, intranet server and application server.

Figure 9 shows a schematic figure which is similar to that shown in figure 8 except that it shows a multi service ISP infrastructure. Rather than having a number of DHCP configured workstations as shown in figure 8, figure 9 shows a system where individuals can have access via a modem, cable modem or set top box, corporate firewall or VPN to the APS controlled system.
1. An automated provisioning system adapted to use an LDAP or X.500 compatible directory enabled information repository, the system comprising a service manager adapted to interface with the information repository and components of a distributed electronic system, wherein the information repository comprises a scalable data model, wherein the service manager is adapted to log on to a directory and interacts therewith to create, delete, amend and/or search for information in the information repository and wherein the data model comprises domains, which domains comprise object types of users, services, profiles and infrastructure, and wherein the data model comprises configuration objects, which objects comprise one or more of a profile service configuration object, a user service configuration object and a service infrastructure configuration object,

such that a user is assigned to a profile, which profile is adapted to access a plurality of services, which services run on infrastructure.

2. An automated provisioning system according to Claim 1, wherein a user service configuration object configures use of the service when associated with a particular user, a profile service configuration object configures aspects of the service when associated with a particular profile and a service infrastructure configuration object configures aspects of the service when associated with a particular piece of infrastructure.

3. An automated provisioning system according to Claim 1 or Claim 2, in which a user is assigned a plurality of profiles, which profiles comprise a plurality of services.

4. An automated provisioning system according to any one of Claims 1 to 3, wherein the domain contains sub-domains.